One year ago, I decided to buy a car for my family. So far we've been renting cars. We've been using car sharing services, and I decided to switch to a more permanent solution. So among many, many criteria when choosing a car, especially when you are a paranoid risk manager, you're looking for security, right? So I went to the Euro NCAP website, where I had the chance to look at many results of many crash tests. And I realized one thing: the car industry is using security as a competitive advantage.
Security is embedded in the car manufacturing industry, and the car manufacturing industry has made huge progress in the physical security of the cars. And it's now a competitive advantage because, well, if the crash test is negative or the rating is average, a customer might switch to another model. But interestingly, although physical security has become more secure, the cars are becoming less secure because of the lack of security of the appliances that control the cars. Right? We know that we can hack cars from remote. That's very interesting.
And we're actually in an era where we breathe security. We don't really realize that. We're like fish who swim in the water. As long as they're in the water, they don't realize they need the water. But as soon as they're taken out of the water, they start realizing that it's vital for them. And we have IT everywhere in the cars. We have IT in the planes. We have IT with us; everything is IT-controlled.
And IT has been used to create value in the companies. What is a company? A company is a business to create value for the shareholders.
It's as simple as that. We don't make a company just out of fun. We want to make money for ourselves as shareholders or for other shareholders. So we've been using information technology as a value creator. Take the example of email. Email is a wonderful means of communication.
However, as soon as we introduce technology, we introduce problems. 91% of cyber attacks come from email. So it's a competitive advantage because we communicate faster. We don't even realize we use email. I personally have never worked in a company that doesn't use email. I'm too young for that. I never experienced that before, but email is a vector for cyber attacks. And although technology creates value, lack of security in the technology can also destroy value. This is the share price of Equifax.
So we see that the shares drastically dropped last year after the data breach was revealed. So the market cap drastically decreased, and this lack of security destroyed value in Equifax. So they've been steadily growing back again. And this year they announced, end of Q2, end of Q3, that they spent 200 million year to date on this data breach. And we see that the market cap drops again.
So this is an example of destroying value through bad security. Who is responsible for security in the companies?
My point of view is that the CIOs are the guys who are running the infrastructure and should be also responsible for securing the infrastructure. Can you imagine a pilot who says, well, I don't care about security. My task is to fly from point A to point B in time. I don't care about your security concerns. The weather is bad, but I never crashed my plane. So I will be fine.
CIOs more or less say the same. Well, I don't care about security. And after all, I don't know anything about security, it's not my business. My business is to run the IT. I think it's, yeah, it's a perfect example, because in companies, in small and medium businesses where you don't have any CSOs, you have a CIO who is responsible for the infrastructure and he should, or she should, be also responsible for security. So that being said, the question is how security can create value in the company. Security functions, how can we bring value?
How can we create value?
If I said that the CIO is responsible for security, does this mean that we don't need a CISO? Might be. In other words, who and how can we ensure success of security in the companies? So far, we haven't been very proactive. We have been defensive, you know, let the bad guys out, might be fine, but it's not. What do we do? We just respond, but we're not really proactive. And we don't really use the tools we have to create the value companies need.
Of course, selling security is extremely difficult. Ask counter-terrorism. Today is the 13th of November. Three years ago in Paris, there was a huge terrorist attack. And nobody believed before that, that it could happen. Specialists of anti-terrorism were very concerned by the lack of preparation and boom, this happens and suddenly governments realize, oh, we need to do something against that. Then you get funding, et cetera. And we all know this in our companies. As soon as you have an event, then you get the funding. It's difficult to sell because it's not rational.
Imagine that you open a new market. So you say, well, I need three sales people. And the sales will increase by 50%. That's very rational. Yes. You can prove it. Security is quite difficult.
So to sell our concerns, from my point of view, we need several key skills, and to focus, yeah, on several key skills. What should be the role of the CISO today? I don't think that having a master's in cybersecurity, having spent hours working on a CISSP, and being reduced to a role where you challenge the CIO about, do you have backups? Do you have disaster recovery? Do you patch your systems? How do you configure your systems? is really interesting.
This role should be given to a controlling function because it's really the basics. We don't really need to have years of experience just to tick the box and say, well, he doesn't have backups. He doesn't have security controls. He doesn't patch the systems. He doesn't have any disaster recovery. And it's way too common in IT. From my point of view as the CSO, I don't really want to pay for something I already know. Right.
When you have auditors coming to you and saying, well, sir, we noticed that user access management is not properly managed in your company, I say, yeah, yeah, I know. Yeah. I know that. I don't really want to pay you for that because I already know the answer. So if I pay 50 grand to auditors to tell me something I already knew, I destroy the value in the company, right?
And it's regulatory auditors, et cetera.
So the CISO, from my point of view, should be someone who proactively comes to the business and proactively comes to IT with projects that will bring the value they need.
You come to the CIO and say, well, you know, the algorithm we use to encrypt our data is outdated. Well, we know it has been breached or it will soon be breached. So we'll need to change that. Or you come proactively. You've been at a very interesting conference in Berlin, and you've heard about zero trust. So you come to your IT and say, well, you know, there is a concept now, which is zero trust. Let's see how we can embed that in the company, right? This is an interesting consulting role. If you tick the box and say, we'll have nothing about user access management, we're fine.
It's not interesting.
The problem is that you have to convince your management committees. You have to convince your boards that you need money. You need funding. You need means for that. If you say, well, I want to do this project, they tell you, well, please, do you have some money? Oops.
Well, I don't. Right, come back next year for the budget, let's speak. You have to become influential. You have to become influential and create a network in your own company. When I say influential, I'd like to pick up, you know, projects like, say, VDI, that can create value. You come to your procurement and say, well, you know, we're about to change the PCs in the company. They're outdated. We have new versions of Windows coming. They're three, four years old. It's already, you know, the age we have to change them.
And you know, there is something which is called VDI, you know, and think about that, because if we remove the PCs and put those small boxes on the desks, then we'll get rid of the PCs. And we'll get rid of renewing that every three years with all the burden that it implies.
Well, yes. Why not? And then you go to sustainable development and you say, well, you know, today it's very fancy to do sustainable development. Let's do VDI because we will get rid of the PCs. We won't have to put them in the recycling every three years and manipulate that and remove the hard drives and wipe them out securely and all this stuff, which costs money. Yes. That's a good, that's an interesting question.
Plus, we will decrease the electricity cost because it uses less electricity. Ah, yes, that's a good one. And by the way, we also increase security because, well, virtualization adds some security layer, and by the way, it also adds features for business continuity. It's easier to develop, I mean, to build.
I mean, your office burns. If you want to deploy your PCs, your virtual PCs, it's much easier than if you have to do that physically. Oh yes, that's an interesting approach. I speak about user access management. User access management implies a lot of people, starting with HR. HR and IT always complain that they don't have the right information.
IT says, well, we don't have information from HR. When people arrive in the company, we don't know exactly where they work. So we are just waiting for information. We copy-paste accesses. And quite often people are waiting several days to get their accesses. So they're not productive when they switch department or when they join a department.
Oh yeah. That's a good one.
You go to HR and say, okay, we want to solve your problems. And it's a huge problem with HR. We want to solve your problems because you are supposed to get information in time and display it and have some feedback from IT to display, to get information to your other users, to the newcomers, and you don't get them.
So let's revamp the process. And by the way, we will also increase security.
Ah, yeah? How? Well, we define, let's say, we'll implement role-based access control in the company. We'll define role-based access, and that's easier, much easier when people arrive, switch jobs,
I mean, change jobs or leave their jobs, to have the accesses cleaned in time. Oh, that's a good one. So by doing those two projects, you've touched procurement. You touch HR, you touch IT, you touch sustainable development. You touch maybe general services, who have to manipulate the PCs, all the stuff. And maybe your, I mean, business continuity department or business continuity function. So you become influential. People know you in the company and say, well, this guy has interesting ideas. He's not only coming with security-only ideas. It's something that is embedded.
And he's got a strategic vision. To do that, you need money. It costs a lot of money and you have to talk to your CFO, another stakeholder, sorry, another key stakeholder.
You have to get funding and you have to be able to speak a language that the CFO understands and you have to communicate that properly. So you come to your CFO and say, well, you know, we have 200 printers in the company. My idea is to replace them by 40 multifunction printers. By the way, we also remove the faxes, the scanning machines and all these, you know, color photocopiers. Yeah.
Okay. So what is the cost of that?
Whoa, wait a minute. We'll decrease manipulating cost, we'll decrease maintenance cost, we'll decrease paper consumption. And I calculated the net present value of this project.
What, net present value? Oh, you speak the same language as I speak. Yeah.
I calculated the net present value of this project and it's positive. Guess what? So what do you think? Do you want to be my advocate in implementing multifunction printers? And by the way, that solves security problems, title catch, for instance, you put follow-me printing features. It increases also your preparedness for business continuity. So the CFO starts being interested by the way, talking to him. But you have to communicate that.
When startups pitch VCs, they usually have one minute to talk to the VC.
So they have one minute to pitch the guy in front of them and convince him or her that their project will make money and needs this funding, is a real, again, real bonanza. So if you have five, 10 minutes to convince your management committee, board, CFO that your project makes sense, that the money you're asking for makes sense and creates value for your company, then you start becoming influential and a key person in this company. But for that, you need to have the skills to properly communicate and you need to speak the same language.
Otherwise, if you start explaining in very technical terms that you need money for this or this security project, well, people start and they lose you immediately and they switch to something else. They will probably very politely listen to you, but it will end with nothing. So my three key takeaways from this keynote:
CSOs should develop soft skills, influencing skills, negotiation skills. You have to negotiate a budget and you have to understand the point of view of the CFO. And the CFO has to understand your point of view as well. You have to be a good communicator as well.
You have to find projects that create value, that have business value, or you have to find the way to sell that from a business value point of view. And my third key takeaway is maybe that CSOs should come back to school and study the business. Not only the technical stuff in information security, but study the business side and understand how the business works, how the business thinks, how the business is interested in their projects. Thank you very much.